Category: Online Security

If you’re looking for added security when browsing on your Android device, look no further than NoScript. The popular Firefox extension has now been made available for Firefox Mobile. It’s called NoScript Anywhere.

Browsers have become extremely complex. With more and more platform-agnostic webapps appearing, users have been living and working inside a browser instead of a desktop. Google has been pushing Chromebooks that provide a full web experience using nothing more than their Chrome browser. Safari has gone mobile. Firefox has gone mobile. Opera has gone mobile. All these mobile browsers are gaining popularity, yet nobody has been addressing the issue with modern browsers: security.

NoScript allows users to selectively block Java, JavaScript, and Flash from executing without permission. It provides XSS (Cross-Site Scripting) and clickjacking protection using integrated plugins. The add-on has been completely rewritten to support a mobile interface. Once installed, NoScript immediately starts blocking harmful web applets using the default recommended options. More advanced settings such as whitelisting, blacklisting, and granular permissions will be editable on a desktop and can be synchronized via Firefox Sync — keeping all your devices up-to-date, whether a mobile device or a full-blown desktop/laptop.

NoScript Anywhere allows the plugin to be installed without restarting Firefox Mobile. It provides an option for disabling automatic playback of Flash and Java applets; instead, a placeholder is shown that can be tapped to run the plugin on demand.

Naturally, NoScript Anywhere is based on the extremely popular open source NoScript extension written by Giorgio Maone, who also created the FlashGot Download Manager. The work started at the beginning of 2011, and it took a short 9 months of incubation before it was completed and available for public use.

The majority of mobile browsers are based on WebKit, but they are proprietary and differ across the board by manufacturer. Android’s browser is based on Chromium, iOS’s is based on Safari, and BlackBerry’s is based on a moldy flaming banana peel.

Firefox Mobile will hopefully become extremely popular among all smartphone users, and we will see NoScript Anywhere usage increase, making the web just a little bit safer for everybody.

In the raging browser wars, features, security and stability are paramount to competing. Opera might want to get a serious handle on things with the next release they push.

There is a memory corruption bug that has been present in Opera 10, 11 and the pre-release of 12 on Windows XP SP3. The vulnerability exists within SVG (Scalable Vector Graphics) layout handling. By nesting SVG functions within XML calls, an attacker is able to crash Opera. While crashing a browser might not seem like a huge deal to some, couple it with code injection and you have an exploit that can lead to complete remote code execution, and then it’s game over.

What might seem like a benign crash of your browser might turn out to be an attacker positioning themselves to take control of your computer and network. Although it has been broken before, Jose also indicates it may be possible to bypass DEP, an active security feature provided by Microsoft that is specifically made to prevent unwanted code execution.

Worried about privacy? Well, you’re not alone. U.S. Congressman Edward Markey has published an open letter to Amazon’s CEO, Jeff Bezos, demanding an answer to privacy issues.

With the recent announcement of the Amazon Kindle Fire, an Android tablet powering Amazon’s content store, the Silk browser came to the forefront as a great leap in browsing. While ‘proxy browsing’ is nothing new (Skyfire and Opera Mini have been doing it for ages), Silk will be the primary way all Kindle Fire users browse the web. This allows Amazon to collect a HUGE amount of data that can be used for advertising or other means of monetizing personal information. Imagine that, a company making money off your personal online habits.

What is the Congressman after? Answers about what Amazon is collecting, how they are collecting it and what they plan on doing with it. Markey specifically poses the following questions and demands an answer within 3 weeks:

What information does Amazon plan to collect about users of the Kindle Fire?

Does Amazon plan to sell, rent or otherwise make available this customer information to outside companies?

How does Amazon plan to disclose its privacy policy to Fire and Silk users?

If Amazon plans to collect information about its users’ Internet browsing habits, will customers be able to affirmatively opt in to participate in the data sharing program?

Thank you for your attention to this important matter. Please provide the responses to these questions no later than November 4, 2011.

Amazon has built a huge network of infrastructure to leverage “server-side browsing” and make it completely invisible to the user. Browsing data and purchasing information is constantly being sent to Amazon and there is no known way to opt out. You could, of course, purchase one of the 30 other Android tablets on the market that have unfettered access to the Amazon Kindle service.

While the Congressman does have his heart in the right place with these questions, especially considering he is Co-Chairman of the Congressional Bi-Partisan Privacy Caucus, this seems like a play using a very well known product to raise awareness for his ‘Do Not Track Kids’ legislation which attempts to protect online privacy for children. Won’t somebody think of the children?!

Do you really care if Amazon knows what you’re browsing the internet for? You probably already give that information to numerous other companies like Google or Facebook — what does one more Big Brother matter when you already have 6 looking over your shoulder?

In an attempt to help people stay safe on the Internet and manage how they share information online, the Citizens Advice Bureau (CAB) has teamed up with Google to promote online safety in the UK and the rest of the world.

The campaign, which will include adverts in newspapers, on public transport and online, is intended to create awareness about online safety and teach users to take suitable steps to ensure that they’re more secure when surfing the web (and during other online activities). It also provides an overview of some of the security tools that Google offers.

Stay safe online – This section provides you with helpful tips and advice for staying more secure on the web. Some of the topics explained here are choosing strong passwords, phishing and malware attacks, identifying secure sites (https), safe networks, mobile security, family safety, shopping safety, and so on.

Your data on the web – This section explains how you can keep your data safe from hackers and phishers.

Your data on Google – Here Google explains the five privacy principles that describe how it approaches privacy and user information across all of its products.

Manage your data – Lastly, Google elaborates on some of the ways of managing what you share online, with Google and with others. This section covers Google Talk, Incognito mode in Chrome, Google+ and the +1 button, Google Docs, and so on.

The campaign also provides you with the following tips –

Use two-step verification for accounts, which will add an extra layer of security to your account.

Pick strong passwords, which are not-so-easy to crack.

Always look for “https” websites.

Campaigns like this are good to learn from, since they explain complicated material (safety advice) in simpler, easily understandable terms. This is Google’s first advertising campaign for something other than its products, such as Google Chrome and the Android mobile operating system.

Anthony House, Google Communications and Policy Manager, said: “Everyone wants to stay safe online, but many people aren’t confident that they know how to. We’re launching the Good to Know campaign and website to provide easy steps everyone can take.”

Gillian Guy, chief executive of the Citizens Advice Bureau, added: “We are delighted to be working in partnership with Google. Citizens Advice is all about straightforward, simple advice on the issues that matter, so helping people take control of their safety and privacy online is right up our street.”

Fake anti-virus scams have been doing the rounds for quite some time now. Hackers have previously used mediums such as email and websites to carry out these scams. Now they have found another medium: Skype.

Graham Cluley of Sophos has posted a video showing the scam attempt in action. The MO is that of a common phishing attack, relying on inducing a sense of urgency in the victim. The automated call warns the victim that his/her computer is not protected and gives a link to follow in order to ‘activate your computer protection’.

Following that link will take you to a web page that pretends to scan your computer. Not surprisingly, it will find some issues and will recommend that you buy their anti-virus software for $19.95.

Image Credit: Naked Security

Obviously, when you get this kind of call, just disconnect it and don’t visit the websites that they mention.

Also, always use a reputable anti-virus, and more importantly make sure that it is fully updated. There’s no point in using an outdated antivirus. My recommendation for a good AV would be Microsoft Security Essentials, as it is free and light on resources. But you can of course use other known anti-virus software, such as AVG and Avast.

Japan’s top defense contractor, Mitsubishi Heavy, has confirmed that it was a victim of a cyber-attack recently. The hack attempt targeted submarine, missile and nuclear plant data stored on their computers. Reportedly, malware was found on almost 80 computers inside the company, including 45 servers and 38 PCs. This confirms that there were 80 infected computers running at 11 Mitsubishi Heavy sites for an uncertain period, nearly half of which were servers.

The attacks on Mitsubishi Heavy were spotted for the first time on August 11 and the intrusion seems to have come from a spear-phishing attack. This form of phishing involves sending spoofed emails to the recipient, making it look like it comes from a known email address. The day of this attack was the 80th anniversary of the Manchurian incident.

Such allegations are groundless. The Chinese government has always opposed Internet hacking. Chinese laws prohibit hacking and other cybercrimes. I would like to emphasize that the Chinese government is willing to cooperate with other countries to fight against cybercrimes including hacking.

The matter is still under investigation and a Mitsubishi Heavy spokesperson has said,

“There is no possibility of any leakage of defense-related information at this point.”

Mitsubishi Heavy is the largest and most reputable defense contractor in Japan. IHI (Ishikawajima-Harima Heavy Industries), another defense contractor in Japan, was also hit by a similar attack. While Mitsubishi Heavy specializes in submarine technology, IHI is famous for its aircraft turbochargers.

This event has occurred four months after the largest defense contractor in the US was hit by a cyber-attack. In both these cases, it is amusing to see how China is linked to every cyber-attack on defense contractors.

Skype users on iOS devices should be on the lookout for malicious users who intend to steal their address book.

A vulnerability affecting Skype 3.01 on iOS devices, including the iPod Touch and iPhone, gives an attacker the ability to secretly upload the entire contents of your address book. The hole is due to an unvalidated input field in the client: instead of its contents being displayed to the user as text, they are executed. Coupling XSS with sandbox permissions that do not allow for fine-tuned access control within apps provides a way for an attacker to steal the contents of an unsuspecting user’s address book.

Skype has been criticised numerous times over identical vulnerabilities in their desktop software that allowed remote code to be executed on a victim’s computer. The flaw is one that Skype has had reported numerous times and fixed numerous times, yet they have not completely audited the applications before release.

Phil has detailed the attack performed against an iPhone 4 running iOS 4.3.5 and has indicated that the vulnerability was reported to Skype over a month ago. Hopefully a fix is in the works, but more importantly, hopefully Skype will perform a full check instead of simply throwing input sanitising on the vulnerable text field.
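The bug class described above, as an added example that is not Skype’s code or the researcher’s: an attacker-controlled profile field spliced into a view’s HTML, beside the escaped rendering that shows the same field as plain text. The payload, the render functions and the `leak`/`addressBook` names are all constructed for illustration.

```javascript
// Added example (not Skype's code): a client takes a profile field that the
// remote party controls and splices it into the markup of a webview; anything
// in that field that parses as HTML then runs with whatever the app's sandbox
// allows. The payload below is a constructed illustration, not the one used
// against Skype, and `leak`/`addressBook` are hypothetical names.

// Constructed sample: a display name set by a malicious caller.
const UNTRUSTED_NAME = 'Alice <img src=x onerror="leak(addressBook)">';

// Vulnerable pattern: untrusted text is interpolated straight into HTML, so
// the <img> tag and its onerror handler become live once the view parses it.
function renderCallerVulnerable(name) {
  return `<div class="caller">Incoming call from ${name}</div>`;
}

// Hardened pattern: encode the characters HTML treats as markup so the field
// is shown to the user as text. (In a real client, prefer assigning the value
// through a DOM text node, e.g. element.textContent, over building strings.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCallerSafe(name) {
  return `<div class="caller">Incoming call from ${escapeHtml(name)}</div>`;
}

// Two cheap checks over rendered output: how many real tags it contains, and
// whether any tag carries an inline event handler (an on* attribute). Only the
// template's own <div> should count when the field is rendered safely.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function hasInlineHandler(html) {
  return /<[^>]*\son[a-zA-Z]+\s*=/i.test(html);
}

// Stand-alone demonstration of both renderings and the checks.
const vulnerable = renderCallerVulnerable(UNTRUSTED_NAME);
const safe = renderCallerSafe(UNTRUSTED_NAME);
console.log('vulnerable:', vulnerable);
console.log('  tags:', countTags(vulnerable), 'handler:', hasInlineHandler(vulnerable));
console.log('safe:      ', safe);
console.log('  tags:', countTags(safe), 'handler:', hasInlineHandler(safe));
```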

We have all heard about the Low Orbit Ion Cannon, a deceptively powerful yet quite simple tool for bombarding a server with meaningless data until all its resources are used to answer the bombarding queries instead of serving pages, commonly known as a Denial of Service (DoS) attack. Now, Anonymous has developed its own DoS tool, calling it RefRef.

RefRef was developed to assist the setup of #OccupyWallStreet, which will begin September 17, at noon, in the famous financial district of New York City. Peaceful protesters will set up tents, kitchens and peaceful barricades and occupy the entire district for a few months.

On September 17, we want to see 20,000 people flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months. Once there, we shall incessantly repeat one simple demand in a plurality of voices.

(This one simple demand is still under vote, with ‘Revoke Corporate Personhood’ leading.)

The expected number of campers is around 20,000. However, considering that at a similar protest held earlier at the same venue the protesters were turned away by the police, only tomorrow will tell us what the real number of protesters will be.

RefRef will be released at noon on September 17th along with the start of #OccupyWallStreet.

Tomorrow, Adobe will be releasing an Adobe Reader and Acrobat security update which will remove DigiNotar certificates from its trusted list. The update will be available for both Windows and Mac. Once installed, it will remove DigiNotar certificates from the ‘Adobe Approved Trust List’ program, or AATL. AATL is basically a program that allows users to create digital signatures so that a PDF signed with them is trusted whenever it is opened using Acrobat or Reader version 9 and above.

This update is a result of the DigiNotar security breach in which a hacker supposedly generated hundreds of rogue SSL certificates. These certificates were used to spoof content, perform phishing attacks and more notably in man-in-the-middle attacks. All of the major browser vendors have now removed DigiNotar certificates from their trusted lists. Both Microsoft (Security Advisory 2607712) and Apple (Security Update 2011-005) have also released updates revoking trust of the DigiNotar certificates.

The Adobe update is rated as critical and it is recommended that all users of the aforementioned software install this update as soon as possible. The update can be downloaded from here once it is released. Adobe has also indicated that they will be enabling dynamic updates of AATL with a future update so that a user doesn’t have to manually install a patch to update the trusted list in scenarios like this.

In case you want to manually remove the DigiNotar certificates from AATL, instructions for both Adobe Reader and Acrobat can be found here.

Any major event that occurs will certainly draw people’s attention on the Internet. We saw huge chaos when the news of Osama Bin Laden’s death came in. When such events occur, scammers take advantage of users’ curiosity and create scam messages (including phishing attacks), post them across social networking sites like Facebook and Twitter, or send phishing emails.

As Hurricane Irene barrels up the East Coast, users on the Internet should look out for scam messages and phishing attacks related to the storm news. It is likely that scammers will create phishing attacks and other malicious activity, and publish them across the Internet.

Facebook users are tricked very easily. When users click on scam links, they will be taken to bogus websites where they will be asked to complete online surveys or download malicious programs, such as a codec to watch a video. These malware programs are designed to gather user information including email IDs, user names, passwords and credit card details. Sometimes these malicious programs are downloaded automatically, infecting users without their knowledge.

I suggest that all users on Facebook be cautious and not blindly click on links that promise to show you videos or pictures, including those posted by your friends. This applies to users on Twitter as well. Watch out for re-tweets and DMs with links that lead to fake (clone) login pages where you will be asked to re-enter your username and password, a potential threat to your account.

Charity Scams

Watch where you donate! Thousands of fake charity websites have been created which attempt to collect donations to help hurricane victims. Do some research before making any donations and make sure that you’re donating to the right charity.

If you’re making any donations, then make sure that you avoid third party sites and organizations, and head straight to the charity’s main website that you want to reach out to.

The FBI has issued warnings about Hurricane Irene charity scams, and has offered some excellent tips to protect you against charity scammers:

Do not respond to unsolicited (SPAM) e-mail.

Be skeptical of individuals representing themselves as officials soliciting via e-mail for donations.

Do not click on links contained within an unsolicited e-mail.

Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.

To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.

Validate the legitimacy of the organization by directly accessing the recognized charity or aid organization’s website rather than following an alleged link to the site.

Attempt to verify the legitimacy of the non-profit status of the organization by using various Internet-based resources, which also may assist in confirming the actual existence of the organization.

Do not provide personal or financial information to anyone who solicits contributions: providing such information may compromise your identity and make you vulnerable to identity theft.

If you believe you have been a victim of a charity related scheme, contact the National Center for Disaster Fraud by